Break on jump to an instruction


NoMoreTears
July 7th, 2006, 15:19
Hi,

Could you suggest a way to set a breakpoint that would be triggered only when the marked instruction (or byte) is called or jumped to? In other words, it shouldn't trigger when it's executed normally after its predecessor.
I'd like to monitor jumps for specific blocks of code, because any jump inside them means an error in my case. A way to log such occurrences would also do.

thanks

Nacho_dj
July 8th, 2006, 12:14
Hello:

From OllyDbg:
If you want to break on a certain instruction, press F2 on the line of the selected instruction.

If you want to break on a block of code, use Follow in Dump -> Selection on the selected line, then below on the left select with the mouse all the bytes where you want the breakpoint, and then choose Breakpoint -> Memory, on access.

Is this working for you?

Cheers

Nacho_dj

NoMoreTears
July 9th, 2006, 02:40
Quote:
[Originally Posted by Nacho_dj]Is this working for you?

Not quite, because it doesn't address the one thing I can't do - such breaks would always trigger, not only when a jump occurs.

Code:

4 instructions, with a breakpoint on 2nd, 4th is jmp:
1 -> [2] -> 3 -> 4

This should break:

      v----------\
1 -> [2] -> 3 -> 4

This should NOT:

/-----v
1 -> [2] -> 3 -> 4

wtbw
July 9th, 2006, 06:37
A really simple way to do this in ollydbg is with ollyscript. I knocked this together quickly for you:

Code:
var $INSTBEFORE
var $INST
ask "address of instruction before desired non-direct breakpoint?"
cmp $RESULT, 0
je Error
mov $INSTBEFORE, $RESULT
bp $INSTBEFORE
findop $INSTBEFORE, #??#
mov $INST, $RESULT
cmp $INST, 0
je Error
bp $INST
eob Break
run

Break:
cmp eip, $INSTBEFORE
je Equal
pause

Equal:
sti
eob Break
run

Error:
msg "Error!"
ret


This will pause on all breakpoints other than the case you outlined.

If you don't have ollyscript, you can get it from hxxp://cracklab.ru/olya/OLLYSCRIPT%200.92C.zip (a 0.93 version is around, but for some reason it seems to crash on the ask instruction - or am I being silly?)

I have a feeling you're going to ask how to do many of these at once... the easiest way to do this would be to hardcode all the desired addresses into a script which then uses the same technique as above. Take a look in the ollyscript readme for a good explanation of all the instructions used.

You could do this much more nicely with your own olly plugin (hmm.. if only I had the time) or with some IDA scripting.

Cheers,

Will
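
The logging variant asked for in the first post, as an added example that is not from any poster in this thread and is not OllyScript: an offline check over a recorded instruction trace that reports every arrival inside a guarded block that was not a fall-through from the preceding instruction. It assumes the trace is available as (address, instruction length) pairs; the names `Step`, `Hit`, `transfers_into` and all addresses are constructed for illustration.

```python
from __future__ import annotations
from typing import Iterable, NamedTuple


class Step(NamedTuple):
    addr: int  # address of the executed instruction
    size: int  # its length in bytes


class Hit(NamedTuple):
    src: int   # instruction that transferred control
    dst: int   # instruction inside a guarded block that was reached


def transfers_into(trace: Iterable[Step],
                   guarded: list[tuple[int, int]]) -> list[Hit]:
    """Return arrivals inside a guarded [start, end) range that did not
    come from the instruction immediately before them in memory."""
    hits: list[Hit] = []
    prev: Step | None = None
    for step in trace:
        in_guard = any(lo <= step.addr < hi for lo, hi in guarded)
        # Fall-through means: previous address + previous length == current.
        # Limitation: a jump whose target is the next sequential address
        # looks identical to fall-through and is not reported.
        if prev is not None and in_guard and step.addr != prev.addr + prev.size:
            hits.append(Hit(prev.addr, step.addr))
        prev = step  # the first step has no predecessor and is never reported
    return hits


# Constructed sample matching the diagram in the thread: four instructions,
# the 2nd is guarded, the 4th jumps back to the 2nd.
I1, I2, I3, I4 = Step(0x401000, 2), Step(0x401002, 3), Step(0x401005, 1), Step(0x401006, 2)
GUARDED = [(0x401002, 0x401005)]          # covers instruction 2 only
SAMPLE_TRACE = [I1, I2, I3, I4, I2, I3, I4]

if __name__ == "__main__":
    for hit in transfers_into(SAMPLE_TRACE, GUARDED):
        print(f"transfer {hit.src:#x} -> {hit.dst:#x}")
```

Several blocks can be watched in one pass by listing more ranges in `guarded`.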

NoMoreTears
July 9th, 2006, 14:12
Quote:
[Originally Posted by wtbw]This will pause on all breakpoints other than the case you outlined.


Thanks for the code

Quote:
I have a feeling you're going to ask how to do many of these at once... the easiest way to do this would be to hardcode all the desired

In this project I use exactly that technique - a proggie of mine creates a list of breakpoints.

Quote:
You could do this much more nicely with your own olly plugin (hmm.. if only I had the time) or with some IDA scripting.

Yeah, in the meantime I've read PDK's manual and created a plugin that does what I wanted (more or less, because of other issues).